Congressional State of Play: Cross-border Law Enforcement Demands for User Data

Let’s say a U.S. law enforcement agency obtains a warrant against a criminal suspect. As a part of the investigation, the agency requests that an online service provider hand over the suspect’s emails, which in this case are located on a server abroad. Does the provider have to comply? Not according to what is colloquially known as the “Microsoft-Ireland” decision from last year. In Microsoft, the Second Circuit held the Stored Communications Act (SCA) could not be used to compel Microsoft to disclose a user’s email content stored extraterritorially—in that case, exclusively on an Irish server. Instead, U.S. law enforcement must use the now-cumbersome and slow Mutual Legal Assistance Treaty (MLAT) process to request data through their international counterparts. Given the limits of the existing SCA, the Court called for Congress the change the law to address how U.S. companies hold data overseas.

At a May 24 hearing, members of Senate Judiciary Committee Subcommittee on Crime and Terrorism came to a consensus that the system for cross-border data requests is broken. They agreed with witnesses that technology companies are situated amid conflicting state interests in two related scenarios: 1) when U.S. providers receive requests from U.S. law enforcement for data possibly stored outside the U.S.—akin to Microsoft-Ireland, and 2) when U.S. providers receive requests from foreign law enforcement for data those providers control. In the latter scenario, the SCA prevents providers from disclosing email to foreign law enforcement without a warrant issued pursuant to the MLAT process.

Unfortunately, as Chairman Lindsey Graham highlighted, the MLAT process is antiquated and no longer effective in a fast-paced digital era, echoing concerns from law enforcement agencies around the world. The committee resolved to address the adverse impact of the Second Circuit’s 2016 decision in a bipartisan manner that would reflect modern technological considerations and the privacy, security, and law enforcement equities at stake.

Representing the U.S. law enforcement perspective was Brad Wiegmann, Deputy Assistant Attorney General of the Department of Justice’s (DOJ) National Security Division. He testified that DOJ has identified over 100 incidents of impeded investigations due to tech companies’ unwillingness to share a user’s electronic data following the Microsoft-Ireland decision, and urged Congress to find a solution to that side of law enforcement’s cross-border conundrum.

To address the second scenario described above, Wiegmann renewed DOJ’s commitment to a proposed bilateral agreement between the U.S. and United Kingdom. First announced last year, the U.S.-UK agreement would permit UK law enforcement to directly request communications content from U.S. providers pursuant to their own form of lawful process. DOJ’s hope is that this agreement would be the first of many such bilateral arrangements between the U.S. and like-minded nations with similar law enforcement needs. Weigmann noted that in order for such bilateral agreements to take effect, Congress would need to pass a legislative framework that both amends the Stored Communications Act’s disclosure provisions to allow direct responses by U.S. providers to requests from foreign law enforcement, and sets human rights, rule of law, and legal process standards for the community of nations that might be eligible for such agreements with the U.S. Weigmann indicated that DOJ would be issuing a new draft legislative proposal, similar to one it transmitted to Congress last year, in the near future. Importantly, Weigmann noted that DOJ’s proposal would not factor into existing debates over surveillance or encryption, and would help stem the tide of increasing data localization efforts abroad.

Paddy McGuinness, the UK’s Deputy National Security Advisor, also testified, providing the perspective of foreign law enforcement agencies. McGuinness noted that increasing amounts of criminals’ communications take place over services provided by U.S. technology companies. McGuinness also took time to describe the changes made to the UK’s investigatory powers regime under the recently-passed Investigatory Powers Act, which includes expansions to UK law enforcement’s ability to request data from providers, along with substantive changes to the procedures through which such requests are made.

Senator Orrin Hatch, long involved in discussions of cross-border law enforcement issues, acknowledged that law enforcement’s demand for data inherently conflicts with privacy, and again put forth his proposed solution to the Microsoft prong of the problem: a revised version of the International Communications Privacy Act (ICPA), a bill he first introduced last year. ICPA would permit U.S. law enforcement to obtain the extraterritorially stored communications of U.S. persons or persons reasonably believed to be located in the U.S. pursuant to a probable cause-based warrant. In Senator Hatch’s view, DOJ’s proposed legislation does not fully resolve the conflict of laws dilemma faced by U.S.providers—including, for example, a pending Brazilian law that prohibits technology companies from disclosing Brazilian citizens’ data—whereas ICPA might take steps in that direction.

Brad Smith, Microsoft’s Chief Legal Officer, testified from the perspective of the technology industry and as a representative of the company that had most acutely faced the cross-border problem in court. He testified that a complete reversal of Microsoft would “literally take us back to a law that was passed when Mark Zuckerberg was two years old,” and “simply wouldn’t work” because it puts technology companies in the conflict of law dilemma highlighted by Senator Hatch. Smith also mentioned that no action on the issue leaves companies facing astronomical fines in some jurisdictions (e.g. under the European Union’s looming General Data Protection Regulation), and puts American jobs at risk. In Smith’s opinion, the DOJ’s legislative proposal opens the door solving part of the problem while balancing privacy and security, but more work must be done.

Jennifer Daskal, Associate Professor at American University Washington College of Law, testified that a clean reversal of the Second Circuit’s decision in Microsoft would be problematic and ignore foreign states’ comity interests. Daskal advocated that courts engage in a careful examination of the location of the crime, suspect, and its victim; location of data alone to determine jurisdiction is problematic because data is constantly moving. Daskal explained that a user’s location or nationality is more reliable and solves the issue of notice asymmetry since a user has expectations or presumptions about the law based on where he or she is located. This is similar to the framework Senator Hatch is preparing in the revised version of his proposed ICPA. We can expect to see a revised ICPA reintroduced by Senator Hatch: “ICPA is one of my top priorities,” he remarked, “and I plan to push very hard for it once it’s reintroduced.”

Next week, the House Judiciary Committee will also be holding a hearing on law enforcement access to data stored abroad. Chairman Bob Goodlatte has stated reforming 1986’s Electronic Communications Privacy Act, which contains the SCA and its disclosure prohibitions, as a top priority. While speaking before the Federalist Society at the National Press Club in February, he described the law as, “outdated and contains insufficient privacy protections,” and reform is necessary to, “better protect constitutional rights without impeding law enforcement’s efforts to protect public safety.”

Upcoming Events

About CCIA

CCIA is an international not-for-profit membership organization dedicated to innovation and enhancing society’s access to information and communications. CCIA promotes open markets, open systems, open networks and full, fair and open competition in the computer, telecommunications and Internet industries.